Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
6sg60cSBIQ.dll
|
PE32+ executable (DLL) (console) x86-64, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3152e4b3bd5a32c92a13e818e4165ed38ed22690_24c13995_187d3e90-249f-4e4d-9a2a-3747a8ce9b7f\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3152e4b3bd5a32c92a13e818e4165ed38ed22690_24c13995_f6cd8a97-c47f-4df6-9340-375c5d76d18a\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3784abb0c760c4a0da83b9de70b0523f3255b47_24c13995_0470cc9b-4e1b-4912-a759-6b38fad3ff74\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3784abb0c760c4a0da83b9de70b0523f3255b47_24c13995_a04d76f8-d874-47c2-a198-cd97fde122a0\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DAF.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 15:18:54 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E2D.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E5D.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER98CB.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 15:18:57 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER992A.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9969.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA510.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 15:19:00 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA52F.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 15:19:00 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5BC.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5DC.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5EC.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA63A.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 8 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\loaddll64.exe
|
loaddll64.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll"
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\cmd.exe
|
cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,Hdooie
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,_invalid_parameter_noinfo_noreturn
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7460 -s 336
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,abort
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7636 -s 328
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",Hdooie
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",_invalid_parameter_noinfo_noreturn
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",abort
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7756 -s 340
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7772 -s 336
|
There are 4 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
windowsupdatebg.s.llnwi.net
|
69.164.0.128
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProgramId
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
FileId
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LongPathHash
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Name
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
OriginalFileName
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Publisher
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Version
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinFileVersion
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinaryType
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProductName
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProductVersion
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LinkDate
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinProductVersion
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Size
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Language
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
IsOsComponent
|
||
|
\REGISTRY\A\{b415100e-cee9-bdb0-6719-b008f86f6dd1}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Usn
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
|
0018C00B8FA4A2E4
|
There are 14 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
17DDCFB0000
|
heap
|
page read and write
|
||
|
7FF8E7BCC000
|
unkown
|
page readonly
|
||
|
247555C0000
|
heap
|
page read and write
|
||
|
B14B4FF000
|
stack
|
page read and write
|
||
|
17DDB515000
|
heap
|
page read and write
|
||
|
7FF8E7BA1000
|
unkown
|
page execute read
|
||
|
7FF8E7BC5000
|
unkown
|
page readonly
|
||
|
C1F69BC000
|
stack
|
page read and write
|
||
|
2433C828000
|
heap
|
page read and write
|
||
|
7FF8F7140000
|
unkown
|
page readonly
|
||
|
9CA867C000
|
stack
|
page read and write
|
||
|
24755340000
|
heap
|
page read and write
|
||
|
C1F6C7E000
|
stack
|
page read and write
|
||
|
7FF8F7170000
|
unkown
|
page readonly
|
||
|
17DDB598000
|
heap
|
page read and write
|
||
|
24755360000
|
heap
|
page read and write
|
||
|
4B3EFAC000
|
stack
|
page read and write
|
||
|
17DDB520000
|
heap
|
page read and write
|
||
|
6A20DBF000
|
stack
|
page read and write
|
||
|
7FF8F716C000
|
unkown
|
page readonly
|
||
|
209CBE0D000
|
heap
|
page read and write
|
||
|
209CBD70000
|
heap
|
page read and write
|
||
|
7FF8E7BC5000
|
unkown
|
page readonly
|
||
|
297F5810000
|
heap
|
page read and write
|
||
|
2433C6D0000
|
heap
|
page read and write
|
||
|
17DDB510000
|
heap
|
page read and write
|
||
|
1F136C80000
|
heap
|
page read and write
|
||
|
297F3C60000
|
heap
|
page read and write
|
||
|
2475539F000
|
heap
|
page read and write
|
||
|
1D7B2990000
|
heap
|
page read and write
|
||
|
7FF8F7165000
|
unkown
|
page readonly
|
||
|
4B3F2FF000
|
stack
|
page read and write
|
||
|
7FF8E7BA0000
|
unkown
|
page readonly
|
||
|
2433C995000
|
heap
|
page read and write
|
||
|
F0C05FF000
|
stack
|
page read and write
|
||
|
2433C990000
|
heap
|
page read and write
|
||
|
209CBC70000
|
heap
|
page read and write
|
||
|
1D7B2A25000
|
heap
|
page read and write
|
||
|
209CBD50000
|
heap
|
page read and write
|
||
|
7FF8F716C000
|
unkown
|
page readonly
|
||
|
7FF8F7140000
|
unkown
|
page readonly
|
||
|
1D7B27A8000
|
heap
|
page read and write
|
||
|
209CBE18000
|
heap
|
page read and write
|
||
|
297F3E18000
|
heap
|
page read and write
|
||
|
209CBE00000
|
heap
|
page read and write
|
||
|
1F70A200000
|
heap
|
page read and write
|
||
|
9CA86FF000
|
stack
|
page read and write
|
||
|
7FF8E7BD0000
|
unkown
|
page readonly
|
||
|
209CC090000
|
heap
|
page read and write
|
||
|
2433E270000
|
heap
|
page read and write
|
||
|
1F70A190000
|
heap
|
page read and write
|
||
|
209CBD90000
|
heap
|
page read and write
|
||
|
297F3D40000
|
heap
|
page read and write
|
||
|
297F3D60000
|
heap
|
page read and write
|
||
|
F00738E000
|
stack
|
page read and write
|
||
|
7FF8F7165000
|
unkown
|
page readonly
|
||
|
1D7B2A20000
|
heap
|
page read and write
|
||
|
1F136AA0000
|
heap
|
page read and write
|
||
|
1F70A228000
|
heap
|
page read and write
|
||
|
24755330000
|
heap
|
page read and write
|
||
|
7FF8E7BA0000
|
unkown
|
page readonly
|
||
|
F0C04FB000
|
stack
|
page read and write
|
||
|
7FF8F7141000
|
unkown
|
page execute read
|
||
|
17DDB4E0000
|
heap
|
page read and write
|
||
|
2433C7B0000
|
heap
|
page read and write
|
||
|
297F3E10000
|
heap
|
page read and write
|
||
|
7FF8F7170000
|
unkown
|
page readonly
|
||
|
297F40D5000
|
heap
|
page read and write
|
||
|
247555C5000
|
heap
|
page read and write
|
||
|
24755397000
|
heap
|
page read and write
|
||
|
1F138580000
|
heap
|
page read and write
|
||
|
6A20D3C000
|
stack
|
page read and write
|
||
|
1D7B2720000
|
heap
|
page read and write
|
||
|
1F70A5C5000
|
heap
|
page read and write
|
||
|
297F40D0000
|
heap
|
page read and write
|
||
|
F0C06FF000
|
stack
|
page read and write
|
||
|
7FF8E7BD0000
|
unkown
|
page readonly
|
||
|
B14B1CC000
|
stack
|
page read and write
|
||
|
8EE75EE000
|
stack
|
page read and write
|
||
|
F00728C000
|
stack
|
page read and write
|
||
|
1F136C10000
|
heap
|
page read and write
|
||
|
1F136C88000
|
heap
|
page read and write
|
||
|
7FF8F7141000
|
unkown
|
page execute read
|
||
|
1D7B2710000
|
heap
|
page read and write
|
||
|
1F70A160000
|
heap
|
page read and write
|
||
|
1F136C15000
|
heap
|
page read and write
|
||
|
B14B47F000
|
stack
|
page read and write
|
||
|
1D7B2740000
|
heap
|
page read and write
|
||
|
1F70A220000
|
heap
|
page read and write
|
||
|
7FF8E7BCC000
|
unkown
|
page readonly
|
||
|
1F70A22F000
|
heap
|
page read and write
|
||
|
C1F6CFF000
|
stack
|
page read and write
|
||
|
1F70A170000
|
heap
|
page read and write
|
||
|
17DDB4D0000
|
heap
|
page read and write
|
||
|
24755390000
|
heap
|
page read and write
|
||
|
17DDB590000
|
heap
|
page read and write
|
||
|
7FF8E7BA1000
|
unkown
|
page execute read
|
||
|
8EE756E000
|
stack
|
page read and write
|
||
|
1F136B80000
|
heap
|
page read and write
|
||
|
1D7B27A0000
|
heap
|
page read and write
|
||
|
209CBD70000
|
heap
|
page read and write
|
||
|
2433C7D0000
|
heap
|
page read and write
|
||
|
1F136BA0000
|
heap
|
page read and write
|
||
|
24756EB0000
|
heap
|
page read and write
|
||
|
1F70A5C0000
|
heap
|
page read and write
|
||
|
4B3F27F000
|
stack
|
page read and write
|
||
|
6A2107F000
|
stack
|
page read and write
|
||
|
9CA877F000
|
stack
|
page read and write
|
||
|
2433C820000
|
heap
|
page read and write
|
||
|
8EE74EC000
|
stack
|
page read and write
|
||
|
F00730F000
|
stack
|
page read and write
|
There are 101 hidden memdumps, click here to show them.